Skip to main content

Libxslt CVE-2025-7424

| EUVDEUVD-2025-20995 HIGH
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2025-07-10 secalert@redhat.com
7.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 27, 2026 - 21:22 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 16, 2026 - 06:52 euvd
EUVD-2025-20995
Analysis Generated
Mar 16, 2026 - 06:52 vuln.today
CVE Published
Jul 10, 2025 - 14:15 nvd
HIGH 7.5

DescriptionCVE.org

A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input data, which can lead to type confusion during XML transformations. This vulnerability allows an attacker to crash the application or corrupt memory. In some cases, it may lead to denial of service or unexpected behavior.

AnalysisAI

CVE-2025-7424 is a type confusion vulnerability in the libxslt library where the psvi (Post-Schema-Validation Infoset) memory field is reused for both stylesheet and input document processing, enabling memory corruption during XML transformations. This affects any application using vulnerable libxslt versions to process untrusted XML stylesheets or documents, allowing unauthenticated remote attackers to trigger denial of service or memory corruption without requiring user interaction. The vulnerability has a high CVSS score (7.5) with high availability impact, though real-world exploitation probability and active KEV status require confirmation from official sources.

Technical ContextAI

libxslt is a widely-used XSLT processing library that transforms XML documents using XSL stylesheets. The vulnerability stems from CWE-843 (Type Confusion), where the same memory field (psvi) intended for storing Post-Schema-Validation Infoset data is improperly reused across different contexts—both for stylesheet compilation/validation and input document processing. During XML transformations, this field confusion causes the processor to interpret stylesheet-related metadata as input document data or vice versa, leading to type mismatches in memory access patterns. Affected CPE strings typically include cpe:2.4:a:xmlsoft:libxslt (all versions with this vulnerability), commonly distributed with glibc-based Linux distributions, macOS via Homebrew, and embedded in web servers (Apache with mod_xslt), document processors (LibreOffice via its XSLT engine), and enterprise XML platforms.

RemediationAI

Immediate actions: (1) Identify all systems using libxslt via package managers (apt list --installed | grep xslt, rpm -qa | grep xslt, brew list | grep libxslt) or embedded in applications; (2) Apply vendor-provided patches immediately upon release—monitor xmlsoft.org and your OS vendor's security bulletins for patched libxslt versions; (3) If patches are unavailable, implement compensating controls: restrict XML/XSLT processing to trusted sources only, disable XSLT processing features if not required, run libxslt-dependent services in restricted containers/sandboxes with resource limits to minimize DoS impact. Longer-term: (4) Upgrade to patched libxslt versions once available (follow vendor release notes for specific version numbers); (5) Implement input validation and schema enforcement to reject malformed or suspicious XSLT stylesheets before processing; (6) Monitor for publicly disclosed POCs and adjust response priorities accordingly.

CVE-2024-55549 HIGH POC
7.8 Mar 14

xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes. Rate

CVE-2025-24855 HIGH POC
7.8 Mar 14

numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can

CVE-2016-4607 CRITICAL
9.8 Jul 22

libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows,

CVE-2012-6139 MEDIUM POC
5.0 Apr 12

libxslt before 1.1.28 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an (

CVE-2016-4610 CRITICAL
9.8 Jul 22

libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows,

CVE-2016-4609 CRITICAL
9.8 Jul 22

libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows,

CVE-2016-4608 CRITICAL
9.8 Jul 22

libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows,

CVE-2022-29824 MEDIUM POC
6.5 May 03

In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for i

CVE-2019-11068 CRITICAL
9.8 Apr 10

libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permi

CVE-2015-7995 MEDIUM POC
5.0 Nov 17

The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is an element, which a

CVE-2017-5029 HIGH
8.8 Apr 24

The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98

CVE-2021-30560 HIGH
8.8 Aug 03

Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit he

Vendor StatusVendor

Ubuntu

Priority: Medium
libxslt
Release Status Version
bionic released 1.1.29-5ubuntu0.3+esm3
focal released 1.1.34-4ubuntu0.20.04.3+esm2
jammy released 1.1.34-4ubuntu0.22.04.5
noble released 1.1.39-0exp1ubuntu0.24.04.3
plucky released 1.1.39-0exp1ubuntu4.1
trusty released 1.1.28-2ubuntu0.2+esm5
xenial released 1.1.28-2.1ubuntu0.3+esm4
upstream released 1.1.44,1.1.43-0.1
questing released 1.1.43-0.3

Debian

Bug #1109123
libxslt
Release Status Fixed Version Urgency
bullseye fixed 1.1.34-4+deb11u3 -
bullseye (security) fixed 1.1.34-4+deb11u3 -
bookworm, bookworm (security) fixed 1.1.35-1+deb12u3 -
trixie (security), trixie fixed 1.1.35-1.2+deb13u2 -
forky, sid fixed 1.1.43-0.3 -
bookworm fixed 1.1.35-1+deb12u2 -
trixie fixed 1.1.35-1.2+deb13u1 -
(unstable) fixed 1.1.35-2 -

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.73 Container suse/sl-micro/6.1/baremetal-os-container:2.2.0-3.1 Affected
Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Affected
Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-Default Image SL-Micro-Default-SelfInstall Image SL-Micro-Default-encrypted Image SL-Micro-Default-qcow Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Micro 6.0 Fixed

Share

CVE-2025-7424 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy